- 14 Feb, 2011 2 commits
-
-
Jesper Juhl authored
In drivers/net/usb/hso.c::hso_create_bulk_serial_device() we have this code: ... serial = kzalloc(sizeof(*serial), GFP_KERNEL); if (!serial) goto exit; ... exit: hso_free_tiomget(serial); ... hso_free_tiomget() directly dereferences its argument, which in the example above is a NULL pointer, ouch. I could just add a 'if (serial)' test at the 'exit' label, but since most freeing functions in the kernel accept NULL pointers (and it seems like this was also assumed here) I opted to instead change 'hso_free_tiomget()' so that it is safe to call it with a NULL argument. I also modified the function to get rid of a pointles conditional before the call to 'usb_free_urb()' since that function already tests for NULL itself - besides fixing the NULL deref this change also buys us a few bytes in size. Before: $ size drivers/net/usb/hso.o text data bss dec hex filename 32200 592 9960 42752 a700 drivers/net/usb/hso.o After: $ size drivers/net/usb/hso.o text data bss dec hex filename 32196 592 9960 42748 a6fc drivers/net/usb/hso.o Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Jesper Juhl noticed that l2_pull_iqueue() does not check to see if alloc_skb() fails. Fix this by first trying to reallocate the headroom if necessary, rather than later after we've made hard to undo state changes. Reported-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 13 Feb, 2011 3 commits
-
-
Jesper Juhl authored
USB Network driver infrastructure: Fix leak when usb_autopm_get_interface() returns less than zero in kevent(). We'll leak the memory allocated to 'urb' in drivers/net/usb/usbnet.c:kevent() when we 'goto fail_lowmem' and the 'urb' variable goes out of scope while still completely unused. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jesper Juhl authored
nla_nest_start() may return NULL. If it does then we'll blow up in nla_nest_end() when we dereference the pointer. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
John Fastabend authored
The app_data priority may not be the same for all net devices. In order for stacks with application notifiers to identify the specific net device dcb_app_type should be passed in the ptr. This allows handlers to use dev_get_by_name() to pin priority to net devices. Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 12 Feb, 2011 3 commits
-
-
Herbert Xu authored
As it turns out we never need to walk through the list of multicast groups subscribed by the bridge interface itself (the only time we'd want to do that is when we shut down the bridge, in which case we simply walk through all multicast groups), we don't really need to keep an hlist for mp->mglist. This means that we can replace it with just a single bit to indicate whether the bridge interface is subscribed to a group. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Herbert Xu authored
In a couple of spots where we are supposed to modify the port group timer (p->timer) we instead modify the bridge interface group timer (mp->timer). The effect of this is mostly harmless. However, it can cause port subscriptions to be longer than they should be, thus making snooping less effective. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Herbert Xu authored
The list mp->mglist is used to indicate whether a multicast group is active on the bridge interface itself as opposed to one of the constituent interfaces in the bridge. Unfortunately the operation that adds the mp->mglist node to the list neglected to check whether it has already been added. This leads to list corruption in the form of nodes pointing to itself. Normally this would be quite obvious as it would cause an infinite loop when walking the list. However, as this list is never actually walked (which means that we don't really need it, I'll get rid of it in a subsequent patch), this instead is hidden until we perform a delete operation on the affected nodes. As the same node may now be pointed to by more than one node, the delete operations can then cause modification of freed memory. This was observed in practice to cause corruption in 512-byte slabs, most commonly leading to crashes in jbd2. Thanks to Josef Bacik for pointing me in the right direction. Reported-by: Ian Page Hands <ihands@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 11 Feb, 2011 3 commits
-
-
Steffen Klassert authored
Commit 5811662b ("net: use the macros defined for the members of flowi") accidentally removed the setting of IPPROTO_GRE from the struct flowi in ipgre_tunnel_xmit. This patch restores it. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Hiroaki SHIMODA authored
Commit 80c802f3 (xfrm: cache bundles instead of policies for outgoing flows) introduced possible oopse when dst_alloc returns NULL. Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Randy Dunlap authored
-I (include path) should be specified for host builds. This one was overlooked somehow. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=25902Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Reported-by: Alexey Salmin <alexey.salmin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 10 Feb, 2011 3 commits
-
-
Bruce Rogers authored
Under harsh testing conditions, including low memory, the guest would stop receiving packets. With this patch applied we no longer see any problems in the driver while performing these tests for extended periods of time. Make sure napi is scheduled subsequent to each napi_enable. Signed-off-by: Bruce Rogers <brogers@novell.com> Signed-off-by: Olaf Kirch <okir@suse.de> Cc: stable@kernel.org Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
In x25_link_free(), we destroy 'nb' before dereferencing 'nb->dev'. Don't do this, because 'nb' might be freed by then. Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Tested-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Tomoya MORINAGA authored
Previous patch "[PATCH 1/3] pch_can: fix 800k comms issue" is wrong. I should have modified tseg1_min not tseg2_min. This patch reverts tseg2_min to 1 and set tseg1_min to 2. Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 09 Feb, 2011 8 commits
-
-
David S. Miller authored
Some cases try to modify const strings, and in any event the CVS revision strings have not changed in over ten years making these printouts completely worthless. Just kill all of this stuff off. Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Randy Dunlap authored
From: Randy Dunlap <randy.dunlap@oracle.com> softing_cs.c uses kzalloc & kfree, so it needs to include linux/slab.h. drivers/net/can/softing/softing_cs.c:234: error: implicit declaration of function 'kfree' drivers/net/can/softing/softing_cs.c:271: error: implicit declaration of function 'kzalloc' Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
-
Toshiharu Okada authored
This driver will be in a deadlock, When the rx offload is set by ethtool. The pch_gbe_reinit_locked function was modified. Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
The TCP tracking code has a special case that allows to return NF_REPEAT if we receive a new SYN packet while in TIME_WAIT state. In this situation, the TCP tracking code destroys the existing conntrack to start a new clean session. [DESTROY] tcp 6 src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925 [ASSURED] [NEW] tcp 6 120 SYN_SENT src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 [UNREPLIED] src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925 However, this is a problem for the iptables' CT target event filtering which will not work in this case since the conntrack template will not be there for the new session. To fix this, we reassign the conntrack template to the packet if we return NF_REPEAT. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
-
Tomoya authored
Currently, in case reload pch_can, pch_can not to be able to catch interrupt. The cause is bus-master is not set in pch_can. Thus, add enabling bus-master processing. Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Tomoya authored
Currently, when rmmod pch_can, kernel failure occurs. The cause is pci_iounmap executed before pch_can_reset. Thus pci_iounmap moves after pch_can_reset. Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Tomoya authored
Currently, 800k comms fails since prop_seg set zero. (EG20T PCH CAN register of prop_seg must be set more than 1) To prevent prop_seg set to zero, change tseg2_min 1 to 2. Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 08 Feb, 2011 14 commits
-
-
David S. Miller authored
In commit aa942104 ("net: init ingress queue") we moved the allocation and lock initialization of the queues into alloc_netdev_mq() since register_netdevice() is way too late. The problem is that dev->type is not setup until the setup() callback is invoked by alloc_netdev_mq(), and the dev->type is what determines the lockdep class to use for the locks in the queues. Fix this by doing the queue allocation after the setup() callback runs. This is safe because the setup() callback is not allowed to make any state changes that need to be undone on error (memory allocations, etc.). It may, however, make state changes that are undone by free_netdev() (such as netif_napi_add(), which is done by the ipoib driver's setup routine). The previous code also leaked a reference to the &init_net namespace object on RX/TX queue allocation failures. Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(), cannot make state changes which need to be undone on failure. There is no cleanup mechanism available at this point. So we have to add the caif private instance to the global list once we are sure that register_netdev() has succedded in ->newlink(). Otherwise, if register_netdev() fails, the caller will invoke free_netdev() and we will have a reference to freed up memory on the chnl_net_list. Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alexey Orishko authored
Specification links: - CDC NCM errata link: http://www.usb.org/developers/devclass_docs/NCM10_012011.zip - CDC and WMC errata link: http://www.usb.org/developers/devclass_docs/CDC1.2_WMC1.1_012011.zip Changes: - driver updated to match cdc.h header with errata changes - added support for USB_CDC_SET_NTB_INPUT_SIZE control request with 8 byte length - fixes to comply with specification: send only control requests supported by device, set number of datagrams for IN direction, connection speed structure update, etc. - packet loss fixed for tx direction; misleading flag renamed. - adjusted hard_mtu value. Signed-off-by: Alexey Orishko <alexey.orishko@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alexey Orishko authored
Changes are based on the following documents: - CDC NCM errata: http://www.usb.org/developers/devclass_docs/NCM10_012011.zip - CDC and WMC errata link: http://www.usb.org/developers/devclass_docs/CDC1.2_WMC1.1_012011.zipSigned-off-by: Alexey Orishko <alexey.orishko@stericsson.com> Acked-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
-
Don Skidmore authored
This will synchronize the version string with that of the latest source forge driver which shares its functionality. Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Don Skidmore authored
The ixgbe_fcoe_ddp_get function wasn't initializing one of its variables and this was producing compiler warnings. This patch cleans that up. Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com> Tested-by: Stephen Ko <stephen.s.ko@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Alexander Duyck authored
This change fixes VM pool allocation issues based on MAC address filtering, as well as limits the scope of VF access to promiscuous mode. Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com> Acked-by: Greg Rose <gregory.v.rose@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Don Skidmore authored
We have found a hardware erratum on 82599 hardware that can lead to unpredictable behavior when Header Splitting mode is enabled. So we are no longer enabling this feature on affected hardware. Please see the 82599 Specification Update for more information. CC: stable@kernel.org Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com> Tested-by: Stephen Ko <stephen.s.ko@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Emil Tantilov authored
Caught with gcc 4.6 -Wunused-but-set-variable Remove unused napi_vectors variable. Fix the use of reset_bit in ixgbe_reset_hw_X540() Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Tested-by: Stephen Ko <stephen.s.ko@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Florian Fainelli authored
This patch adds support for Marvell Alask M88E188R PHY chips. Support for other M88* PHYs is already there, so there is nothing more to add than its PHY id. CC: Dirk Brandewie <dirk.j.brandewie@intel.com> Signed-off-by: Florian Fainelli <ffainelli@freebox.fr> Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Jesse Brandeburg authored
Currently the driver increments the tx_timeout counter (an error counter) when simply resetting the part with outstanding transmit work pending. This is an unnecessary count of an error, when all we should be doing is just resetting the part and discarding the transmits. With this change the only increment of tx_timeout is when the stack calls the watchdog reset function due to a true Tx timeout. Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Reviewed-by: Bruce Allan <bruce.w.allan@intel.com> Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
-
- 07 Feb, 2011 4 commits
-
-
Sven Eckelmann authored
We access the data inside the skbs of two fragments directly using memmove during the merge. The data of the skb could span over multiple skb pages. An direct access without knowledge about the pages would lead to an invalid memory access. Signed-off-by: Sven Eckelmann <sven@narfation.org> [lindner_marek@yahoo.de: Move return from function to the end] Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
-
andrew hendry authored
Originally x25_parse_facilities returned -1 for an error 0 meaning 0 length facilities >0 the length of the facilities parsed. 5ef41308 ("x25: Prevent crashing when parsing bad X.25 facilities") introduced more error checking in x25_parse_facilities however used 0 to indicate bad parsing a6331d6f ("memory corruption in X.25 facilities parsing") followed this further for DTE facilities, again using 0 for bad parsing. The meaning of 0 got confused in the callers. If the facilities are messed up we can't determine where the data starts. So patch makes all parsing errors return -1 and ensures callers close and don't use the skb further. Reported-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Felix Fietkau authored
Using skb_header_cloned to check if it's safe to write to the skb is not enough - mac80211 also touches the tailroom of the skb. Initially this check was only used to increase a counter, however this commit changed the code to also skip skb data reallocation if no extra head/tailroom was needed: commit 4cd06a34 mac80211: skip unnecessary pskb_expand_head calls It added a regression at least with iwl3945, which is fixed by this patch. Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Felix Fietkau <nbd@openwrt.org> Tested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Don Fry authored
With commit 554d1d02 only one RF_KILL interrupt will be seen by the driver when the interface is down. Re-enable the interrupt when it occurs to see all transitions. Signed-off-by: Don Fry <donald.h.fry@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
-